ABSTRACT 

The Information Systems (IS) curriculum needs to be updated frequently due to the rapid rate of 
advances in information systems (IS) and the technologies that drive IS, and also industry’s skill 
requirement of IS graduates. This paper describes a Career Skills Oriented Approach to enhance 
the graduate IS curriculum based on current information from recent career skills studies, United 
States Bureau of Labor Statistics (BLS), MSIS2000 model curriculum recommendations, the 
current demand for information security professionals, professional certifications in demand, and 
the resources required. 

INTRODUCTION 



The mission of a typical Information Systems (IS) program is to develop, publicize and apply 
knowledge of information systems (IS) and the technology that drives IS. To fulfill this mission, the 
program will: 


1. Educate and train students with the required skills as professionals and prepare them for positions of 
leadership in industry; 

2. Conduct and publicize research in IS to improve the management and application of IS in organizations and 
to enhance IS pedagogy; and 

3. Provide service that responds to the needs of the institution, enterprises, professional societies, 
governmental agencies, and other organizations that may benefit from the expertise of its faculty and 
students. 

Beginning from the 1980s to the late 1990s, the competitiveness of US business has been eroding. Hayes 
and Abernathy's 1980 Harvard Business Review article, "Are We Managing Our Way to Economic Decline?" 
signaled the growing awareness in the U.S. that effective management of technological innovation was becoming a 
high-priority concern of U.S. business. Organizations have begun the great migration to adopt the Internet as a 
vehicle to deliver various services including electronic commerce, web-based collaboration, web-based surveys, 
assessment and evaluation, web data mining, distance education, intelligent agents, electronic data interchange, 
patient and health informatics. The rapid adoption by businesses not only of the Internet, but also the Intranet and 
Extranet has pushed the fringes of information systems towards a new frontier. Development in information 
systems has been driven by these technological trends. The digital revolution is here. As the world continues to 
adopt distributed, network centric systems, the dawn of the networked economy grows brighter. There has been 
much advancement in technology and innovation in organizations especially this past decade. In the early 2000s, 
Intel's Chairman Andy Grove predicted that by 2005 only companies that have adopted the Internet as a mission 
critical technology would survive. His prediction seems to be correct; this means that all companies have to address 
technology as a critical element in their strategic management. It is of critical importance that organizations manage 
their resources and keep pace with the advances so as not to lose their competitive advantage. In accordance with 
these trends, the IS curriculum needs to be brought up to date to reflect current technology trends and industry’s 
skill requirements of IS graduates, and also to meet accreditation requirements. The Association for Information 
Systems over the past 3 decades has developed a model graduate curriculum based on technology trends and 
industry’s needs. The latest version of the model curriculum is the MSIS2000 model curriculum. The US Bureau of 
Labor Statistics has published data for the projected occupation needs of industry from 2006-2016. The occupation 
(job title) provides the information for the skills in demand. This paper describes a career skills oriented approach 
based on recent studies on career skills in demand (Luftman, 2006) and (Prabhakar, et al, 2005), current data from 
the Bureau of Labor Statistics (BLS), MSIS 2000 model curriculum recommendation, current demand for 
information security professionals, professional certification in demand (Hilbink, 2004), (IDC, 1999), and (Ray & 
McCoy, 2000), and the resources required. While the BLS projected occupational data, the current demand for 
information security professionals, the demand for various professional certifications and recent studies provided the 
basis for determining the career skills required by industry; the IS model curriculum provided the structure that 
supported the proposed curriculum. This paper is divided into 4 main sections. Section 1 provides an overview of 
how the proposed curriculum is derived. Section 2 presents the proposed graduate curriculum. Section 3 discusses 
certification and recommends the relevant professional certificate (based on the skill set) that is needed in industry. 
The final section reviews the current status of the IT skills requirements in industry and assesses some possible 
future trends. 

OVERVIEW 

There has been a consistent trend of increasing demand for IT professionals.¹ The “Numeric Change in 
Total Employment, 2006-2016” projection data from BLS shows annual job openings from 9,000 (Computer and 
Information Systems Managers), 9,000 (Programmers), 24,000 (Computer Support Specialists), 28,000 (Computer 
Systems Analysts) to 30,000 (Computer Software Applications Engineer). The “Fastest Growing Occupations, 
2006-2016” projection data shows number of job increases from 34,000 (Database Administrators), 140,000 (Network 
Systems and Data Communications Analysts), 146,000 (Computer Systems Analysts), to 226,000 (Computer 
Software Applications Engineer). (This data is extracted from the BLS website at http://data.bls.gov) The demand 
for IT professionals has also resulted in significant salary increases. 

A recent paper (Luftman & Kempaiah, 2007) stated that between 2006 and 2012, 1 out of every 4 new jobs 
will be IT related. Also, as the baby boomers of the dot-com era retire over the next 5 years, the shortage of IT 
professionals is expected to increase. A 2006 Society of Information Management (SIM) survey (Luftman, 2006) 
shows the top 10 skills employers are looking for when hiring mid-level employees (See Table 1). 


Table 1: Top 10 skills employers are looking for when hiring mid-level employees 


1. Communication 

2. Project Leadership 

3. Functional Area Knowledge 

4. Business Process Design/Reengineering* 

5. Managing Expectations* 

6. Change Management* 

7. Systems Analysis* 

8. IT Architecture/Standards 

9. User Relationship Management 

10. Project Integration/Program Management 

* Ties 


An earlier IT skills study conducted by (Prabhakar, et al, 2005) found that web programming has the 
highest demand (in 42.6% of job ads). In Web programming, C++ programming has the highest demand while Java 
and/or SQL programming is demanded in more than 20% of the job ads and the demand continues to grow stronger. 
.NET skills represented about 13% of the skills sought by IT employers. The demand for database, Enterprise 
Resource Planning (ERP) and e-commerce server skills is as follows: for database skills, over 22% of all positions require 
Oracle while SQL server skills accounted for 16% of all IT jobs; the demand for ERP skills (such as SAP, Oracle 
and PeopleSoft) is slightly over 13%; the demand for e-commerce server skills is under 9% but is expected to 
increase with the e-commerce market. It was also found that an average of 5% of all positions advertised required 
vendor or industry certifications. There is indication that in a tight job market, a candidate with certification has an 
edge over another without certification. In summary, Web programming, C++, Java, SQL programming and Oracle 
database skills seem to be the top skills in demand. 

¹ The term “IT Professionals” is used synonymously with “IS professionals.” There is little difference in training and job 
skills between them. 

Since the 9/11 attacks on US soil, there has been a tremendous amount of effort spent on improving and 
strengthening the infrastructure of the US. A principal component of the infrastructure is the information 
infrastructure. Each day millions of dollars of business transactions and many communication channels are 
conducted through the information infrastructure via the Internet. Organizations of all types (business, academia, 
government, etc.) are facing risks resulting from their ever-increasing reliance on the information infrastructure. 
Business, government, and non-profit institutions have expressed difficulty finding personnel with appropriate 
training in cyber security tools. Such training requires hands-on experience with secure systems work, yet many 
institutions of higher learning lack the resources to provide that experience. As a consequence of this, the 
government, through the Department of Defense, officially issued Directive 8570.1M in 2006. This directive requires 
both technical staff and managers with privileged system access performing Information Assurance (IA) functions at 
computing, networking or enclave positions be trained and hold appropriate certifications accredited by the 
American National Standards Institute (ANSI). It also requires that all users be trained by 2010. The government has 
allocated funding in the millions for this purpose. The list of approved certifications is as follows: 


Table 2: Table of approved security certificates by level 


Technical Level I     Technical Level 2     Technical Level 3
A+                    GSEC                  CISA
Network+              Security+             CISSP
SSCP                  SCNP                  GSE
                      SSCP                  SCNA

Management Level I    Management Level 2    Management Level 3
GISF                  GSLC                  GSLC
GSLC                  CISM                  CISM
Security+             CISSP                 CISSP


* There is a glossary of the abbreviations in Appendix 1. 


According to Lynn McNulty, CISSP, director of government affairs for (ISC)² (news release January 9, 
2006): 


The initiative represents a commitment by DoD officials to create and maintain a world class IA 
workforce that can meet the challenges of the digital battlefield and indicates a clear confidence in 
professional certification as a key component in improving the education, management and 
continued evolution of that workforce. 

In an earlier presidential directive, the National Security Agency (NSA) in the spirit of Presidential 
Decision Directive 63, National Policy on Critical Infrastructure Protection, May 1998, designed and operated the 
National Centers of Academic Excellence in Information Assurance Education (CAEIAE) and the CAE-Research 
(CAE-R) outreach programs. Currently the NSA and the Department of Homeland Security (DHS) in support of the 
President's National Strategy to Secure Cyberspace, February 2003, jointly sponsor the program. From the NSA 
website: 


The goal of the program is to reduce vulnerability in our national information infrastructure by 
promoting higher education in information assurance (IA), and producing a growing number of 
professionals with IA expertise in various disciplines. 

Under the CAEIAE program, 4-year colleges and graduate-level universities are eligible to apply 
to be designated as a National Center of Academic Excellence in IA Education. Institutions 
meeting the Carnegie Foundation's classifications of Research University/Very High (RU/VH), 
Research University/High (RU/H) and Doctoral Research University (DRU) are eligible to apply 
for CAE-R. CAEIAEs and CAE-Rs receive formal recognition from the U.S. government, as 
well as opportunities for prestige and publicity, for their role in securing our nation's information 
systems. 

Institutions awarded the designation are eligible to apply for scholarships and grants through several 
Information Assurance Scholarship Programs offered by the federal government. In addition, such institutions are 
encouraged to conduct research in information assurance and may become focal points of recruiting by federal 
departments and agencies seeking individuals with information assurance expertise. 

As it is an involved process for institutions aspiring to be Centers of Excellence in Information Assurance, 
this paper will only propose a few security skills based courses instead of outlining the complete process. For more 
information on the application process and the criteria, see the NSA web page at 
http://www.nsa.gov/ia/academia/caeiae.cfm. The proposed IS graduate curriculum will include two security courses. 
In addition, a module of security concepts is recommended to be integrated into other IS courses. 

(Prabhakar, et al, 2005) provided demand information for specific IT skills based on his analysis of job ads 
between 2002 and 2005 while (Luftman, 2006) provided information for IT skills based on his survey of SIM 
members. From these two studies (and other reliable sources such as business journals or newspaper reports, 
government bulletins, etc.), academicians can harness the information provided to update and enhance the IS 
curriculum just-in-time to educate and train undergraduates in the skills that industry needs. Thus, the IS curriculum 
should be developed to meet the demands of industry based on IT skills studies, BLS employment statistics (using 
the job titles and its job description) and on the skills that are in demand (for example, information 
assurance/security) as mandated by the government through the provision of grants for training, research and 
development. Skills requirement has typically been updated into the IS model curriculum. 

This paper will use the career skills information to propose an IS curriculum that integrates these career 
skills into various courses. The proposed IS curriculum is structured based on the MSIS2000 model curriculum and 
enhanced by these career skills based courses. The proposed IS courses are mapped to the Common Body of 
Knowledge (CBOK) of the model curricula and content of the professional certification, if applicable. 

Each IS program needs to find a niche to fully exploit its expertise and attract students. From recent studies 
and the unique resources of each IS program, it is possible to focus on information assurance/security, systems 
analysis and design, IS project management, ecommerce, web application development, application software 
development or global information technology management. 

The IS model curriculum is important as it defines a CBOK that IS graduates should possess. This is well 
expounded by the foreword to the MSIS2000 model graduate curriculum: 

University-level Information Systems (IS) curricula need frequent updating to remain effective. 
Model curricula developed by task groups from professional societies aid universities in their 
curricula development and updating efforts by providing four inputs: 

• The common body of knowledge that graduates are expected to know. This helps counter 
local requirements bias and helps graduates to be prepared for positions in a large 
geographic area. 

• A program structure with suggested courses and course sequences. 

• Rationale for the program and the resources required for it. 

• Rationale for investment in faculty development to keep faculty members up to date with 
rapidly changing technology. 

The value of model curricula such as MSIS 2000 are also based on a strong, increasing demand for 
university-trained graduates who can meet the changing needs of the information economy. A 
degree program in information systems cannot teach every fact or every process that will be 
needed by the graduate; its objective is to provide the fundamentals that support productive 
employment and provide a basis for lifelong learning. 

The proposed graduate IS curriculum will adapt from the CBOK from the MSIS2000 model graduate 
curriculum which was developed over 3 decades based on the skills demand in industry. Detailed specifications can 
be found from the MSIS2000 document listed in the Reference section. See Figure 1 below. 


FOUNDATION 

IS Foundations (Technical Prerequisites) 

IS’97.1 - Fundamentals of Information Systems 
IS’97.4 - Information Technology Hardware and Software 
IS’97.5 - Programming, Data and Object Structures 

Business Foundations (Business Prerequisites) 

Financial Accounting 
Organizational Behavior 
Marketing 

IS CORE 

MSIS2000.1 - Data Management 
MSIS2000.2 - Analysis, Modeling and Design 
MSIS2000.3 - Data Communications and Networking 
MSIS2000.4 - Project and Change Management 
MSIS2000.5 - IS Policy and Strategy 
MSIS2000.6 - Integration. One of the following: 

MSIS2000.6.1 - Integrating the Enterprise 
MSIS2000.6.2 - Integrating the IS Function 
MSIS2000.6.3 - Integrating IS Technologies 
MSIS2000.6.4 - Integrating the Enterprise, IS Function and IS Technologies 

CAREER ELECTIVES 

Four career-oriented courses — may include a practicum. See Table 3 (page 13) for representative lists 


Figure 1: Summary of Curriculum Course Requirements 


The IS Foundations and Core areas from the MSIS2000 model graduate curriculum are as shown next: 


Table 3: MSIS2000 IS Foundations and Core Areas 


MSIS2000 IS Foundations 

IS’97.1 - Fundamentals of Information Systems 

IS’97.4 - Information Technology Hardware and Software 

IS’97.5 - Programming, Data and Object Structures 


MSIS2000 IS Core 

MSIS2000.1 - Data Management 

MSIS2000.2 - Analysis, Modeling and Design 

MSIS2000.3 - Data Communications & Networking 

MSIS2000.4 - Project and Change Management 

MSIS2000.5 - IS Policy and Strategy 

MSIS2000.6 - IS Integration 


The proposed IS courses are mapped to the IS Foundations and Core areas of the MSIS2000 model 
graduate curriculum (see Table 4). The proposed career track will each have 4 courses that are relevant to the local 
context instead of the recommended course electives. Also, as a result of the current demand for IS security skills, 
the proposed IS graduate curriculum will include 2 security courses - IS755 Security Risk Analysis and IS757 
Information Security. In addition, a module of security concepts is recommended to be integrated into other courses. 

The recent skills in demand studies by (Luftman, 2006) and (Prabhakar, et al, 2005) indicated that there is a 
substantial demand for application software development (in C++, Java, SQL Programming or .Net languages) and 
project management (including project leadership, program management and business process re-engineering). It is 
thus proposed that IS745 Application Software Development and IS747 IS Project Management be added to the IS 
curriculum. 

As the world evolves into a net economy, globalization is now prevalent in all aspects of our lives; this 
offers the IS program the unique opportunity to include the study of global IS in its curriculum. It is therefore 
proposed that a course IS410 Global IT Management be created. 

Also, as business research is a critical skill not only in academia but also in the fast-moving IS industry, it 
is proposed that a course “IS601 Research Methods in Information Systems” be included in the IS core which will 
strengthen and provide a better balance to the overall IS core courses and also in view of accreditation exercises. 
The next section will discuss the proposed graduate IS curriculum in more detail. 

PROPOSED GRADUATE CURRICULUM 

This section will propose a sample IS option curriculum for the graduate student. A table of the comparison 
of the model curriculum IS courses with the proposed courses is presented; followed by the proposed course 
sequence and requirement for the IS option. The career track is introduced to enable beginning graduate students to 
choose a career then plan their course schedule based on the required courses and electives for that career track. The 
Career Track Contract lists the courses a student will take and helps track the student’s progress through the 
program. A sample Information Security Career Track Contract and a sample Expanded Course Outline for IS755 
Security Risk Analysis can be found in Appendix 2 and 3 respectively. 

Student career track contracts also serve another purpose — if advisors/schedulers know the courses that 
students are planning to take, a more definite and concrete class schedule can be planned each term. Also, when 
students choose career tracks they specialize in a set of skills that enable them to complete projects, for example, 
create an impressive website, create an impressive information system design or use some state of the art computer 
tools. Students can showcase their projects during open houses for student recruitment and also aid retention of 
students. Students’ projects can also be entered for competitions. It is also possible to organize competitions in the 
IS program’s career niche areas. 

The proposed IS graduate courses are based on the recommended IS Foundations and Core courses in the 
MSIS2000 model graduate curriculum and adapted to fit the unique context of the IS program. The career electives 
section of the MSIS2000 model curriculum recommended 4 courses for each career track. The 4 courses for each 
career track can be chosen to reflect the unique resources of each IS program. The IS Foundations and Core areas 
from the MSIS2000 model graduate curriculum can be mapped to the proposed IS courses as follows: 


Table 4: MSIS2000 IS Foundations and Core Areas Mapped to IS Courses 


MSIS2000 IS Foundations                                   Proposed Graduate IS courses
IS’97.1 - Fundamentals of Information Systems             IS595 Information Systems for Management
IS’97.4 - Information Technology Hardware and Software    IS710 Systems Hardware and Software
IS’97.5 - Programming, Data and Object Structures

MSIS2000 IS Core                                          Proposed IS courses
MSIS2000.1 - Data Management                              IS720 Database Management Systems
MSIS2000.2 - Analysis, Modeling and Design                IS715 Systems Analysis and Design
MSIS2000.3 - Data Communications & Networking             IS750 Data Communications and Networks
MSIS2000.4 - Project and Change Management                IS747 IS Project Management
MSIS2000.5 - IS Policy and Strategy                       IS765 Information Systems Strategy and Management
MSIS2000.6 - IS Integration






American Journal of Business Education - March/April 2009 _ Volume 2, Number 2 

A complete list of all the proposed graduate IS courses can be found in Table 5. The additional courses 
(highlighted in Table 5) are career track courses for the 4 career track options. 


Table 5: List of Proposed Graduate IS Courses 



No.   Proposed Graduate IS Courses                              Credit
1     IS595 Information Systems for Management                  3
2     IS601 Research Methods in Business Information Systems    3
3     IS705 Electronic Business                                 3
4     IS706 Cyber Law, Policy and Ethics
5     IS710 Systems Hardware & Software                         3
6     IS715 Systems Analysis and Design                         3
7     IS720 Database Management System                          3
8     IS735 Global Information Technology Management            3
9     IS740 Decision Support Systems                            3
10    IS745 Application Software Development                    3
11    IS747 IS Project Management                               3
12    IS750 Data Communication & Networks                       3
13    IS755 Security Risk Analysis                              3
14    IS757 Information Security                                3
15    IS760 Current Topics in IS                                3
16    IS765 Information Systems Strategy and Management         3


NOTE: 

1. It is possible for the course “IS601 Research Methods in Business Information Systems” to be the IS core 
course for the IS option. 

2. The proposed course IS755 is updated to include the CBOK for the Certified Information Systems Auditor 
(CISA). See Section 3 for more details. 

3. The proposed course IS715 is updated to include the CBOK for the IBM Certified Solution Designer 
(Object Oriented Analysis and Design, UML 2). See Section 3 for more details. 

The proposed graduate IS courses are developed and mapped to the CBOK of MSIS2000 model curriculum as 
shown in Table 4. The following illustration shows the proposed graduate IS course sequence. 

Proposed Graduate IS Option Course Sequence 



Figure 2: Proposed Graduate IS Course Sequence 

Mapping the proposed IS curriculum to the MSIS2000 model curriculum, the required IS courses are 
illustrated in the following table. 


Table 6: Table of Required Graduate IS courses 



No.   Proposed Required Graduate IS Courses
1     IS595 Information Systems for Management
2     IS601 Research Methods in Information Systems
3     IS710 Systems Hardware and Software
4     IS720 Database Management Systems
5     IS715 Systems Analysis and Design
6     IS750 Data Communications and Networks
7     IS745 Information Systems Strategy and Management
8     IS747 IS Project Management

plus 3 Career Track Courses 


From the skills in demand by employers (Luftman, 2006) and (Prabhakar, et al, 2005), the demand for 
information security mandated by the government, the demand for professional certification (Hilbink, 2004), (IDC, 
1999), and (Ray & McCoy, 2000), the recommended MSIS2000 model graduate curriculum (as illustrated in Table 
4) and the unique resources of the IS program, it is possible for career tracks to be focused on, for example, Business 
Systems Analysis, Electronic Business (or Web-based Business), Information Assurance/Security, or Management 
Information Systems. Each career track has 2 required courses and students have to choose an additional 1 out of 2 
courses from the electives in the track. The career tracks with their required courses and elective courses are: 

1. Business Systems Analysis 
   1. IS 745 Application Software Development (Required) 
   2. IS 747 IS Project Management (Required) 
   3. IS 755 Security Risk Analysis OR 
   4. IS 705 Electronic Business. 

2. Electronic Business 
   1. IS 705 Electronic Business (Required) 
   2. IS 735 Global IT Management (Required) 
   3. IS 740 Decision Support Systems OR 
   4. IS 757 Information Security. 

3. Information Systems Security 
   1. IS 755 Security Risk Analysis (Required) 
   2. IS 757 Information Security (Required) 
   3. IS 706 Cyber Law, Policy and Ethics OR 
   4. IS 705 Electronic Business. 

4. Management Information Systems 
   1. IS 735 Global IT Management (Required) 
   2. IS 740 Decision Support Systems (Required) 
   3. IS 757 Information Security OR 
   4. IS 760 Current Topics in IS. 

The content of the courses in the career tracks can include CBOK from their professional certification. For 
example, courses from the Information Systems Security career track can include CBOK from the Information 
Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA) certification. Also, 
courses from the Business Systems Analysis career track can include CBOK from the IBM Certified Solution 
Designer - Object Oriented Analysis and Design (UML 2) certification or the International Institute of Business 
Analysis (IIBA) Business Analyst certification. In addition, the IS Project Management course can include CBOK 
from the Project Management Institute (PMI) Project Management Professional (PMP) certification. A sample 
Information Systems Security Career Track Contract can be found in Appendix 2. The next section will discuss 
professional certification. 

PROPOSED CERTIFICATION PREPARATION CURRICULUM 

Employers are increasingly demanding that potential and existing employees be professionally qualified in 
the skills required. According to the paper by (Ray, et al, 2000), a study conducted by IDC, Incorporated (1999), 
found that 92% of the managers surveyed stated that they realized all or some of the benefits they expected from 
their certified employees. The top 5 benefits expected are: greater knowledge and increased productivity, a certain 
level of expertise and skill, improved support quality, reduced training costs and higher morale and commitment. 
The paper also reported that employees with certification commanded higher salary. A whitepaper by (Hilbink, 
2004) stated that industry studies show that certified employees demonstrate higher productivity, make fewer errors 
and possess more skills valued by the customers. Certification can also differentiate a company and create a 
competitive advantage. A Gartner survey found that companies offering a strong training and education program 
often attracted the strongest job candidates and that certification is a cost-effective way of rewarding valued 
employees while investing in the future of the company. Industry research shows that smaller companies average 
30-90% return on investment over a one year period, while larger companies with more certified employees see 
returns of 65-200%. The return is measured by reduction in downtime, an increase in productivity or sales and a 
decrease in costs due to mistakes or inefficiencies. 

From (Luftman, 2006) and (Prabhakar, 2005), skills in high demand include systems analysis and design, 
project management, Web programming (or development), Java programming and information security (based on 
the emphasis by the US government). Professional certifications are available for each of these skills. Each 
certification has a CBOK. Professional certifications are earned from a professional society and, generally, need to 
be renewed periodically, or may be valid for a specific period of time. A professional body or professional 
organization, also known as a professional association or professional society, is an organization, usually non-profit, 
that exists to further a particular profession, to protect both the public interest and the interests of professionals 
(from http://en.wikipedia.org/wiki/Professional_society). As a part of a complete renewal of an individual's 
certification, it is common for the individual to show evidence of continual learning - often termed continuing 
education or earning continuing education units (CEU) (from http://en.wikipedia.org/wiki/Professional_certification). 

As a result of the existing and continuing demand for professional certification, it is recommended that 
proposed courses in the IS curriculum cover part or, if possible, the whole of the CBOK. The School of Management, 
through the IS program, can also work towards being an academic partner for some of these professional 
certifications, for example, IBM (Systems Analysis & Design certification), Sun Microsystems (Java certification), 
Project Management Institute (PMI) (Project Management Professional certification), Information Systems Audit 
and Control Association (ISACA) (Information Systems Auditor or Information Security Manager certifications), 
International Institute of Business Analysis for Systems Analysis & Design (IIBA) (Business Analyst certification) 
or Microsoft (Microsoft Computer Professional certification). Typically, each certification requires a few courses to 
adequately cover its CBOK. 

Often mid-level managers do not have the option of taking semester-long courses over months or years. 
“Crammed” or intensive courses are more viable in such an instance. The IS program should also create such “crash 
courses” or “boot-camp” type certification classes. The classes can be offered as compressed certificate programs. 
Typically 4 or 5 classes are required for each certificate. The duration for each class is usually 4-5 full days. 
However, the classes can be customized as well. These classes can be offered through the professional extension 
program or through a center of excellence in a School of Management. Faculty will be able to teach these classes 
without much additional preparation as the class content matches closely to the regular course offered. The classes 
do not have to be taken immediately one after the other. They can be scheduled. 

From the International Institute of Business Analysis (IIBA) certification CBOK, 2 of the classes for the 
Business Systems Analysis and Design Certificate can be made up of: 

1. Application Program Development, and 

2. Information Technology Project Management 

The Application Program Development class will cover: 

1. Enterprise Analysis 

Enterprise Analysis describes how we take a business need, refine and clarify the definition of that need, 
and define a solution scope that can feasibly be implemented by the business. It covers problem definition 
and analysis, business case development, feasibility studies, and the definition of a solution scope. 

Purpose 

Identify and propose projects that meet strategic needs and goals. 

2. Elicitation 

Elicitation describes how we work with stakeholders to find out what their needs are and ensure that we 
have correctly and completely understood their needs. 

Purpose 

Explore, identify and document stakeholder needs. 

3. Requirements Analysis 

Requirements Analysis describes how we progressively elaborate the solution definition in order to enable 
the project team to design and build a solution that will meet the needs of the business and stakeholders. In 
order to do that, we have to analyze the stated requirements of our stakeholders to ensure that they are 
correct, assess the current state of the business to identify and recommend improvements, and ultimately 
verify and validate the results. 

Purpose 

1. Progressively elaborate stated requirements to sufficient level of detail that accurately defines the 
business need within specified scope 

2. Validate requirements meet the business need 

3. Verify requirements are acceptable quality 

4. Solution Assessment and Validation 

Solution Assessment and Validation describes how to assess proposed solutions to determine which 
solution best fits the business need, identify gaps and shortcomings in solutions, and determine necessary 
workarounds or changes to the solution. It also describes how we assess deployed solutions to see how well 
they met the original need in order to enable businesses to assess the performance and effectiveness of 
projects. 

Purpose 

Assess solutions to ensure that strategic goals are met and requirements are satisfied. 

The Information Technology Project Management class will cover: 

1. Requirements Management and Communication 

Requirements Management and Communication describes how we manage conflicts, issues and changes 
and ensure that stakeholders and the project team remain in agreement on the solution scope. Depending on 
the complexity and methodology of the project, this may require that we manage formal approvals, baseline 
and track different versions of requirements documents, and trace requirements from origination to 
implementation. 

Purpose 

1. Recognize that communication takes place throughout all knowledge areas and is important for 
managing requirements 

2. Manage the approved solution and requirements scope 

3. Ensure stakeholders have access to business analysis work products 

4. Prepare and communicate requirements to stakeholders 

5. Facilitate enterprise consistency and efficiency by re-using requirements whenever possible 

2. Business Analysis Planning and Monitoring 

Business Analysis Planning and Monitoring describes how to determine which activities are necessary to 
perform in order to complete a business analysis effort. It covers identification of stakeholders, selection of 
business analysis techniques, the process we will use to manage our requirements, and how we assess the 
progress of the work in order to make necessary changes in work effort. Business analysis planning is a key 
input to the project plan, and project management responsibilities include organizing and coordinating 
business analysis activities with the needs of the rest of the project team. 

Purpose 

1. Plan the execution of business analysis tasks 

2. Update or change the approach to business analysis as required 

3. Assess effectiveness of and continually improve business analysis practices 

3. Business Analysis Techniques 

Various business analysis techniques will be discussed (see the International Institute of Business Analysis 
(IIBA) certification CBOK for specific details). 

Other certificate programs in Information Security, Java Programming or Microsoft software products can be 
designed by covering the CBOK from each of these certification bodies. 

Fees 


Typically, each 4-5 full-day class will cost a student between $1,200 and $3,200 depending on the resources 
to be provided, for example, lab facilities, computer usage, type of software used in class and class materials 
provided. 

AUTHOR INFORMATION 

Benjamin Khoo completed his Ph.D. (Information Systems) at the University of Maryland, Baltimore County. He is 
a member of two honor societies and was awarded the Phi Kappa Phi Dissertation Research Grant. He has published 
annually in the major information systems publications. He is interested in both basic and applied research to further 
the effectiveness, usability, and ultimately the utility of information systems; and also the pedagogical issues related 
to these areas. Prior to becoming an academician, he was a member of the Technical Staff (Software Engineer) of a 
large telecommunication corporation. 

Peter Harris is a professional accountant and is an Associate Professor of Accounting at The New York Institute of 
Technology. He completed his MBA degree at Columbia University in New York City. He has served in curriculum 
committees for the Chartered Financial Analyst Institute, The American College and has introduced registered 
Certified Financial Planner and Chartered Life Underwriter programs at The New York Institute of Technology. He 
has also worked for Ernst and Young LLP and is a member of several professional organizations. 

APPENDICES 

Appendix 1 

Glossary: 

A+ 

Network+ 

Security+ 

CISSP Certified Information Systems Security Professional 

SSCP System Security Certified Practitioner 

CISM Certified Information Security Manager 

CISA Certified Information Security Auditor 

SCNP Security Certified Network Professional 

SCNA Security Certified Network Architect 

GSEC GIAC Security Essentials Certification 

GSLC GIAC Security Leadership Certification 

GSE GIAC Security Expert 

GISF GIAC Information Security Fundamentals 

Information Security Career Track Contract 

for curriculum years 2008 - 2009 and later 


WARNING - THIS CONTRACT CANNOT BE USED 
IF YOU ARE ON A CURRICULUM YEAR 2007-2008 OR EARLIER 


Curriculum Year 


Student Name (print last name, first name) 


Student Id 

I have selected the Information Security Career Track. In fulfillment of the requirements for my chosen career 
track, I will complete the following courses: 



| # | Required IS Courses | Credits | Completed |
|---|---|---|---|
| 1 | IS595 Information Systems for Management | 3 | |
| 2 | IS601 Research Methods in Information Systems | 3 | |
| 3 | IS710 Systems Hardware and Software | 3 | |
| 4 | IS720 Database Management Systems | 3 | |
| 5 | IS715 Systems Analysis and Design | 3 | |
| 6 | IS750 Data Communications and Networks | 3 | |
| 7 | IS745 Information Systems Strategy and Management | 3 | |
| 8 | IS747 IS Project Management | 3 | |



I will select 4 career track courses from the following: 


| Required Courses | Credits | Take | Completed |
|---|---|---|---|
| IS 755 Security Risk Analysis | 3 | X | |
| IS 757 Information Security | 3 | X | |
| Supplemental Electives | | | |
| IS 706 Cyber Law, Policy and Ethics OR | 3 | | |
| IS 705 Electronic Business | 3 | | |
| Total Required Option Courses (3 courses) | 9 | | |



Student Signature 


Advisor Signature 


Date 


Advisor Printed Name 


American Journal of Business Education - March/April 2009, Volume 2, Number 2 

Appendix 3 


A Sample Expanded Course Outline for IS755 

Course title: Security Risk Analysis 
Course number: IS755 
Date prepared: May 1, 2008 

Section A 

1. Catalogue description 

In this course, we discuss IS audit services in accordance with IS audit standards, guidelines and best practices 
to assist the organization in ensuring that its information technology and business systems are protected and 
controlled. A set of analytical tools for quantifying risk, costs and benefits of mitigation methods will be 
discussed. The feasibility of technical solutions as applied to various cases will also be presented. Prerequisite: 
IS595 

2. Required background or experience 

1. Prerequisites. IS 595 

2. Prerequisites justification. Problems and projects in the course require knowledge of managerial principles 
used by contemporary business organizations and basic microcomputer skills. 

3. General education contribution. The student is expected to learn risk analysis as part of an 
organization-wide information quality assurance program, where supporting business objectives or mission requires: 

• Identification of customer requirements 

- Sensitivity of information 

- Availability of the system or application 

• Basic enterprise requirements include 

- Information classification 

- Business Impact Analysis (BIA) 

- Risk analysis 

- Intellectual property safeguards 

3. Expected outcomes 

It is expected that students will learn to: 

1. Analyze Risk by: Identifying the Asset, Ascertaining the Risk, Determining the Vulnerability and 
Implementing the Corrective Action, 

2. Identify potential undesirable or unauthorized events, “RISKS,” that could have a negative impact on the 
Integrity, Confidentiality, or Availability of information by, or flowing through, an application or system, 
and 

3. Identify potential “CONTROLS” to reduce or eliminate the impact of RISK events determined to be of 
MAJOR concern, so as to: 

a. Maintain customer, constituent, stockholder, or taxpayer confidence in the organization. 

b. Protect confidentiality of sensitive information (personal, financial, trade secret, etc.) 

c. Protect sensitive operational data from inappropriate disclosure 

d. Avoid third-party liability for illegal or malicious acts committed with the organization’s systems 

e. Ensure that organization computer, network, and data are not misused or wasted 

f. Avoid fraud 

g. Avoid expensive and disruptive incidents 

h. Comply with pertinent laws and regulations 

i. Avoid a hostile workplace atmosphere 

4. Text and references 

Peltier, Thomas R.; Information Security Risk Analysis, Auerbach Publishing, Boca Raton, FL, 2001. 
ISBN: 0-8493-3346-6 

5. Special or unique student materials: 

Students should have access to a computer with Microsoft Office and with access to the Internet. 

___ Zip Disk      ___ Calculator    ___ Camera          _X_ Laptop 

___ Floppy Disk   ___ Graph Paper   ___ Video Camera    _X_ Computer 

___ CD-Rom        ___ Writing Pad   ___ Videotape       ___ Other 

6. Special or unique university facilities 

Classroom projection facilities for lectures and demonstrating applications. University-supported computer 
laboratories in which students can work with the application software are very helpful. 


_X_ Computer Lab 
___ Computer Connection 
___ “Smart” Classroom (one workstation) 
___ File Server 
_X_ White Board/Markers 
_X_ Overhead Screen 
___ Computer Projector 
___ VCR 
___ Microphone 
___ Laser Pointer 
_X_ Printer 
___ Moveable Classroom Furniture 
_X_ Internet Connection 
___ Laptop Ports 
___ Other 


7. Expanded description of the course and instructional methods 

a. Instructional methods used in this course include lectures, class discussions, and in-class demonstrations 

1. Lectures are used to clarify and supplement text readings. 

2. Class discussions and in-class demonstrations are used to facilitate student understanding and provide 
integration of course material within the business educational domain. 

3. Projects and assignments reinforce students’ understanding of current issues in IS. 

b. Students are expected to assimilate a significant portion of course content through self-study of the 
readings, textbook and instructor-provided materials. 

c. The research paper allows the students to put into practice what they have learned and exercises the students’ 
ability to conduct research in IS. The instructor will provide assistance and guidance in researching and 
writing the paper. 

d. One research paper is required. The paper will be discussed in more detail in class. The length of a 
research paper is typically from 7 to more than 20 pages, depending on the publication. 

Topic area: Any issue related to IS Security Risk Analysis or Assessment. 

The information for the paper should come from current literature — current means from 2005-2007. 
Source material should be copied and attached to your paper. You also need to cite your source within the 
paper. Assistance on “how-to” for a research paper can be found at 
http://owl.english.purdue.edu/workshops/hypertext/ResearchW/index.html and the APA style format guide 
can be found at http://owl.english.purdue.edu/owl/resource/560/01/ Note: Most publications provide 
their guidelines for formatting the research paper to be published. 

_X_ Lecture              ___ Cases        ___ Individualized Instruction 

_X_ Lecture/Discussion   ___ Open Lab     ___ Cooperative Learning 

___ Seminar              ___ Videotapes   ___ Distance Learning 

_X_ Project              ___ Other 

8. Methods of evaluating outcomes 

| Component | Weight |
|---|---|
| 1 Research Paper | 20% of final grade |
| Examinations | 20% Mid-term Exam, 20% Final Exam |
| 2 Assignments | 15% + 15% |
| Class Participation | 10% of final grade |

Evaluation Tools: 

| Tool | Weight |
|---|---|
| Individual Paper | 20% |
| Group Paper | |
| Individual Presentation | |
| Group Presentation | |
| Tests & Exams | 40% |
| Quizzes | |
| Peer Evaluation | |
| Participation | |
| Individual Project | 30% |
| Team Project | |
| Outside/Expert Evaluations | |
| Other: Participation | 10% |


9. Independent Work 

All work is to represent the student’s own efforts. Students are permitted to seek help in clarifying paper 
requirements or related concepts, but all materials submitted must represent original work by each student. 
Students MUST not duplicate work done by others. Students not adhering to this policy are subject to 
disciplinary action (see the University Catalog for specific penalties). 


Important Resource Link: 


Research & Writing: 

http://www.cs.cmu.edu/afs/cs.cmu.edu/user/mleone/web/how-to.html 

ISWorld Ph.D. Page: 

http://www.isworld.org/phd/phd.htm 

Research & Writing: ISWorld Research Resources: 

http://www.isworld.org/#research 


Section B 


| Week # | Material Covered | Presentation | Assignment/Paper |
|---|---|---|---|
| Week 1 | Introduction to the course & Syllabus; Risk Management | Slides 1 | Research Paper assigned |
| Week 2 | Risk Assessment Process | Slides 2 | |
| Week 3 | Quantitative vs Qualitative Risk Assessment I | Slides 3 | |
| Week 4 | Quantitative vs Qualitative Risk Assessment II | Slides 4 | Assignment 1 |
| Week 5 | Other Forms of Qualitative Risk Assessment | Slides 5 | |
| Week 6 | Software Development Risks | Slides 6 | ConstructSwRisk_trl4.94.pdf |
| Week 7 | Mid-Term Exam | | |
| Week 8 | Facilitated Risk Analysis and Assessment Process (FRAAP) I | Slides 7 | Assignment 1 due |
| Week 9 | Facilitated Risk Analysis and Assessment Process (FRAAP) II | Slides 8 | |
| Week 10 | Facilitated Risk Analysis and Assessment Process (FRAAP) III | Slides 9 | Assignment 2 |
| Week 11 | Variations on the FRAAP | Slides 10 | |
| Week 12 | Mapping Controls | Slides 12 | |
| Week 13 | Business Impact Analysis | Slides 13 | |
| Week 14 | Paper Presentations | Students | Assignment 2 due |
| Week 15 | Risk Assessment Management Summary Report | | Research Paper due |
| Week 16 | Final Exam | | |